CN110224876B - Application layer DDoS attack and defense effectiveness measurement method - Google Patents


Info

Publication number
CN110224876B
CN110224876B CN201910571268.3A
Authority
CN
China
Prior art keywords
attack
defense
server
network
value
Prior art date
Legal status
Active
Application number
CN201910571268.3A
Other languages
Chinese (zh)
Other versions
CN110224876A (en)
Inventor
赵小林
薛静锋
李跃
曾冲寒
吴美静
侯新宇
陈全保
张漪墁
徐浩
Current Assignee
Beijing Institute of Technology BIT
Original Assignee
Beijing Institute of Technology BIT
Priority date
Filing date
Publication date
Application filed by Beijing Institute of Technology BIT
Priority to CN201910571268.3A
Publication of CN110224876A
Application granted
Publication of CN110224876B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14 Network analysis or design
    • H04L41/145 Network analysis or design involving simulating, designing, planning or modelling of a network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for measuring the effectiveness (utility) of application layer DDoS attacks and defenses. The method calculates the application layer DDoS attack and defense utility value scientifically and effectively, and because it takes the application, physical, network and other layers into account, it is more comprehensive and objective. Starting from the traditional sociological and engineering definitions of behavior and utility, it analyzes and defines attack and defense behaviors and utilities in a network; it maps the logical topology of the network system to a multidimensional affine space whose dimension is the number of performance indexes of a network node, and proves the mapping between a multidimensional hyper-parallelepiped in the multidimensional Euclidean space and the state of a network node; the state value of a network node is then the volume of the corresponding hyper-parallelepiped, so that the node state can be quantified scientifically and effectively; and in selecting the indexes, the application, physical and network layers are all considered, so that application layer DDoS attack and defense effects are assessed more objectively and comprehensively.

Description

Application layer DDoS attack and defense effectiveness measurement method
Technical Field
The invention relates to the technical field of network space security, in particular to an application layer DDoS attack and defense effectiveness measuring method.
Background
Distributed denial of service (DDoS) attacks are a means of attack that is difficult to counter and difficult to avoid. Their most complex form is the application layer DDoS attack, which generally prevents a Web server from providing normal Web services to legitimate users by occupying a large number of the server's request queues. How to comprehensively analyze the attack influence value from the perspective of both the network and its users, and how to deploy appropriate defenses without wasting resources when an attack occurs, are currently difficult problems. Solving them requires that the security of the network system be measured and evaluated, with security fully considered already at the design stage. In traditional network security assessment techniques, however, subjective human factors are often unavoidable. In current application layer DDoS attack influence evaluation techniques, the main calculation approach is to analyze various observed indexes and compute some quantity, defined within the method itself, that is taken to represent the attack influence. These methods have three weaknesses: first, the definition is given without being grounded in existing mature theory; second, quantitative attack influence values are rarely presented as intuitive results; third, research hardly analyzes the defense influence value at all, so a reference value for it is lacking.
For example, the patent application "a network security risk assessment method" (publication No. CN107204876A; inventors: high strength, Huangyuan Fei, forest stars, etc.) dynamically assesses the security of a target network on the basis of a static risk assessment, combining an intrusion detection system, vulnerability detection and real-time attack events obtained from a third party. The method starts from the static risk assessment of the target network and its given static assessment result; it then analyzes the dynamic change of threat and vulnerability information with corresponding tools, and uses the alarm information generated by the intrusion detection system and the firewall as an important basis for evaluating the risk condition of the system. Because this evaluation depends on the static risk evaluation result, and static risk evaluation is inevitably influenced by subjective factors, the evaluation result is not completely objective.
The patent application "a quantitative network security protection strength evaluation method" (publication No. CN 108566307A; inventors: Liwaiong, Guo yu) generates a network security analysis model by collecting software behavior characteristics in network nodes and randomly selecting the software behavior characteristics of some nodes as training data. The software behavior characteristics of all nodes in the characteristic library are then analyzed and evaluated with a machine learning algorithm, and a quantitative network security protection strength evaluation result is finally calculated. However, because the training data are selected from randomly chosen node data in the software behavior database, the selection of software behavior characteristics is to some extent not comprehensive, and the comprehensiveness and integrity of the evaluation result are not rigorous.
The patent application "computer network security assessment based on description logic" (publication No. CN 105812381A; inventors: Tao, Xue, Liu Jie, etc.) describes the structural relationships of a local area network or other security system through the concepts, individuals and relations of description logic and its derivation rules, and derives and quantifies the security level of the analyzed target system on that basis. From this a security evaluation formula is formed and a network security evaluation value is calculated. The application gives no specific quantitative formula: the corresponding formula is produced only by a security evaluation formula generator, with no specific mathematical model to support it.
Therefore, the influence of application layer DDoS attacks and the magnitude of the effect of defense measures are currently difficult to evaluate.
Disclosure of Invention
In view of the above, the invention provides an application layer DDoS attack and defense utility measurement method that calculates the application layer DDoS attack and defense utility value scientifically and effectively and takes the application, physical, network and other layers fully into account, so that the method is more comprehensive and objective.
The application layer DDoS attack and defense effectiveness measurement method disclosed by the invention comprises the following steps:
Step 1: construct an index matrix. The index matrix is a diagonal matrix whose diagonal entries are the indexes of the server; the indexes comprise application layer indexes, network flow indexes and hardware performance indexes.
Step 2: acquire the index values of the server under different attack and defense effects, and obtain the state value of the server from the index matrix constructed in step 1; the state value of the server is the determinant of the index matrix.
Step 3: the change in the state value of the server under an attack or defense action, compared with its state value when the attack and defense action is 0, is the attack or defense action value of the server; accumulating this action value over time gives the attack or defense utility value of the server.
Preferably, in step 1 the following six indexes are selected: network throughput per second, number of TCP segments, number of IP datagrams, access failure rate, average response time and CPU occupancy.
Preferably, in step 3 the attack or defense utility value of the server is the average of its attack or defense action values over the attack or defense time period.
Preferably, the attack action value of the application layer DDoS is the ratio of the state value of the server under attack to its state value in normal operation; the defense action value of the server against the application layer DDoS is the ratio of the difference between the server's state values before and after the defense measure is added, under the same attack state, to its state value in normal operation.
Advantages:
(1) The method starts from the traditional sociological and engineering definitions of behavior and utility, analyzes and defines the attack and defense behaviors and utilities in the network, then maps the logical topology of the network system to a multidimensional affine space in which the performance indexes of a network node correspond to the dimensions, and proves the mapping between a multidimensional hyper-parallelepiped in multidimensional Euclidean space and the state of the network node. This gives a new way of calculating the state value of a network node, namely as the volume of the corresponding hyper-parallelepiped, so that the node state can be quantified scientifically and effectively. In selecting the indexes, the influence of the application layer DDoS attack and defense effects on server security is considered comprehensively, so that those effects can be assessed more objectively across the application, physical, network and other layers.
(2) From the attack effect, the method analyzes how much each combination of attack type, attack scale and attack strength influences the target system, and can quantitatively analyze the advantages and shortcomings of the various attacks, such as the resources they require and how the attack effect grows as the attack scale accumulates. Compared with existing methods for calculating application layer DDoS attack and defense influence, the attack effect provides a more specific and practical objective reference for the threat posed by an attack; in this sense the calculation of the attack effect has practical significance.
(3) The magnitude of the defense effect is analyzed from the perspective of the lower network layers, whereas current research rarely evaluates the security of a network system from the perspective of the defense effect. The calculation method quantifies the defense effect by comparing the calculated attack effect with the threshold value, giving a more intuitive reference value for the defense action. The survivability of a defense is analyzed from the quality of its action, and the method can calculate how strong an attack each type of defense withstands at large scale, which provides an important basis for building defenses.
(4) The application layer DDoS attack and defense influence values are explained at the utility level: the attack and defense utilities are obtained from the average attack effect and from the comparison with defense, taking time as the upper and lower limits of integration. Compared with traditional methods, the method emphasizes the mathematical model and takes the attack duration as the start and end points. The average attack action is computed after the attack action at each moment, and this average represents the magnitude of the attack intuitively and on a sound basis, which greatly simplifies the utility calculation. Through the utility calculation, the influence of the attack action and of the defense measures on the network system after an application layer DDoS attack can be described more reasonably, accurately and intuitively.
Drawings
Fig. 1 is a diagram illustrating network status values.
Fig. 2 is a schematic view of the calculation of the attack and defense effects.
Fig. 3 is a flow chart of the attack and defense effectiveness measurement of the present invention.
Detailed Description
The invention is described in detail below by way of example with reference to the accompanying drawings.
The invention provides an application layer DDoS attack and defense utility measurement method. Based on the traditional sociological and engineering definitions of behavior and utility, and by analyzing the characteristics of attack and defense behaviors in a network, it gives the relevant definitions of application layer DDoS attack and defense utility and analyzes their properties. It then proves a mapping between Euclidean space and the network logical topology, describes the state of a network node by an n-dimensional hyper-parallelepiped in n-dimensional Euclidean space, and estimates the state value of the node as the volume of that hyper-parallelepiped; it also provides a method for selecting measurement indexes and a method for calculating application layer DDoS attack and defense utility, from which the attack and defense effects and utilities are obtained. Finally, the feasibility and accuracy of the method are verified by a simulation experiment.
(I) Definitions related to attack and defense utility
The invention analyzes and defines network attack and defense effectiveness from the perspectives of sociology and engineering: behavior is defined sociologically and utility is defined in engineering terms. Specifically, following traditional sociology, the invention defines attack and defense behaviors in the network as follows. Considering the objects of the network and the relations between them, an attack behavior or defense behavior is a series of state changes caused in the network by an attack means or a defense means: the change of network state caused by the attack process is the attack behavior, and the change of network state caused by a defense means weakening the attack effect is the defense behavior. Combining engineering theory with the effect of attack and defense behaviors in the network, the invention defines the attack and defense action as the cause of the changes that the attack and defense behaviors bring about inside the network system through a series of actions there, the network state being changed through that action. Attack and defense utility is defined as follows: utility is a basic metric that characterizes the performance of a system or protocol, and refers to the cumulative action that a behavior has on an object over a certain range.
(II) Proof of the mapping between the network logical topology and an n-dimensional affine space
The topology of a computer network refers to the physical structure formed by the nodes (computer devices) and links (transmission media) in the network. Nodes are mainly divided into switching nodes and access nodes, and the transmission media are the communication links; every network structure consists of nodes and the communication links between them. A network topology comprises a physical topology and a logical topology; common logical topologies include star, bus, ring, tree and mesh structures.
The network logical topology can be mapped to an affine space:
according to the link relations between the elements of the object set A (the set of device nodes in the network system), the elements of A can be mapped into a vector space V.
The mapping sends any ordered pair of points p and q in A to a vector in V
Figure GDA0002673603260000061
and satisfies the following conditions:
(1)
Figure GDA0002673603260000062
(2)
Figure GDA0002673603260000063
there is a unique point q ∈ A such that
Figure GDA0002673603260000064
(3)
Figure GDA0002673603260000065
Thus the set A, i.e. the set of nodes in the network system, can be mapped to an affine space.
Analyzing the attack and defense behavior process in the network system according to the definitions of attack and defense behavior, action and utility in part (I), each node device in a network logical topology can be regarded as an independent subspace of the network space. From the normal operating state of the node device and the set of index values collected after an attack behavior occurs, each index is treated as one dimension; within the subspace, the directions of the index values in an n-dimensional coordinate system are mutually perpendicular across the index dimensions, so the vectors corresponding to the index values are linearly independent in the affine space. It follows that a network scenario built on the network logical topology can be described as an n-dimensional affine space, and the scenario of a specific network behavior is a subspace of it. Because an affine space generalizes the affine properties of Euclidean space, each node in the network can be regarded as an n-dimensional Euclidean space.
(III) Proof of the mapping between the n-dimensional hyper-parallelepiped and the network state
When an attack or defense behavior occurs at a node of the network topology, each index item of the node changes. The index dimensions correspond to the dimensions of the affine space: one index item of the device corresponds to one vector in an n-dimensional Euclidean space, so n indexes can be described as n linearly independent vectors in that space. By the definition of the n-dimensional hyper-parallelepiped, the set of index vectors spans an n-dimensional hyper-parallelepiped, which is the geometric shape of the network node in Euclidean space, so this geometric body can be used to describe the node's state. Physically, every index item of a network node necessarily changes when attack and defense behaviors occur in the network. During such behaviors no dependency arises between the node's index items, and their changes are determined by the attack and defense effects, so the index items can be regarded as mutually independent and the directions of change of the index vectors mapped into n-dimensional space are not aligned. Mapping the index changes of the node into the n-dimensional Euclidean space of that node therefore yields n linearly independent vectors, which proves that the network scenario can be mapped to an n-dimensional hyper-parallelepiped.
(IV) Method for selecting measurement indexes
Because an application layer DDoS attack usually prevents the Web server from providing normal Web services to legitimate users by occupying a large number of its request queues, the attack and defense effectiveness of application layer DDoS can be measured by calculating the change in server state before and after the attack and the defense occur. In selecting indexes, therefore, the invention considers three layers, application, physical and network, to reflect the influence of an attack on the server, and selects network flow indexes such as network throughput per second, number of TCP segments and number of IP datagrams; hardware performance indexes such as CPU occupancy and memory usage; and application layer indexes such as average response time and access failure rate. The invention is not limited to these indexes, provided that the chosen indexes adequately express the security state, usability and so on of the server. In this embodiment the following six indexes are preferably measured: network throughput per second, TCP segment count, IP datagram count, access failure rate, average response time and CPU occupancy rate. These six index items describe an application layer DDoS attack comprehensively, take the network and hardware layers into account, suit the analysis of the attack influence value, and keep the subsequent computation small.
(V) Calculation methods and mathematical modeling for application layer DDoS attack and defense utility
(1) Calculation method and mathematical model of the network state value
The idea of the network state value calculation method is shown in fig. 1.
In the invention, each device node in the network is regarded as an independent subspace of the network space; the device indexes serve as the dimensions of that subspace and are mapped into n-dimensional space, each index corresponding to one vector, so that a change in the numerical value of a node index changes the length of the corresponding vector. As shown above, the index vectors of a network node can be mapped to an n-dimensional hyper-parallelepiped in n-dimensional Euclidean space; the state of the node can be described by this geometric model, and the current state value of the node can be described intuitively by the volume of the hyper-parallelepiped.
The network state value is calculated in the following steps:
First, construct an n-dimensional matrix. Suppose n indexes have been selected, denoted $m_1, m_2, m_3, \dots, m_n$. By the proof above, each index of the network node is a linearly independent vector in the n-dimensional Euclidean space V, so the n indexes can be mapped to the vector dimensions of the n-dimensional space. Taking the six preferred indexes of this embodiment as an example, they are mapped to the vector dimensions of a six-dimensional space, and the vectors are expressed respectively as:
Figure GDA0002673603260000081
Therefore, the 6-dimensional matrix composed of these 6 vectors can be written as a diagonal matrix, i.e.:
Figure GDA0002673603260000091
Second, calculate the volume of the hyper-parallelepiped in 6-dimensional Euclidean space. The volume $V(m_1, m_2, \dots, m_6)$ of the hyper-parallelepiped spanned by the above 6 vectors in 6-dimensional Euclidean space is:
$V(m_1, m_2, \dots, m_6) = V(m_1, m_2, \dots, m_5) \cdot h_6$ (3)
where $h_6$ is the length of the orthogonal component of $m_6$ with respect to the subspace spanned by $m_1, m_2, \dots, m_5$, and $V_1(\alpha) = |\alpha|$ for $\alpha = m_1, m_2, \dots, m_6$. It has been proved that:
Figure GDA0002673603260000092
where $G(m_1, m_2, \dots, m_6)$ is the Gram determinant and $D$ is the determinant of the coordinates of $(m_1, m_2, \dots, m_6)$ under some orthonormal basis of V.
Hence the network state value at a time t is the determinant of the diagonal matrix M obtained in the first step. Denoting the network state value by $S_t$, it is calculated as:
$S_t = |M|$ (4)
Third, calculate the arithmetic mean of the network state during the attack. To avoid relying on a single, possibly accidental, state sample, the arithmetic mean of the node state over a period of time is taken to represent the security state of the network node in that period. During the period in which the network node is under the joint action of attack and defense, the network state value at each time point $t_i$ ($i = 1, 2, \dots, m$) is
Figure GDA0002673603260000093
and the arithmetic mean of the network state is therefore:
Figure GDA0002673603260000094
Example 1. The six indexes of a network node collected in the non-attack state, namely network throughput rate, TCP data segment transmission rate, IP datagram transmission rate, average traffic arrival time, CPU occupancy rate and transaction failure rate, are respectively 1/second, 2/second, 3/second, 1% and 1%, where the average traffic arrival time and the transaction failure rate are averages. Calculate the state value S of the network node at the current moment.
By formulas (1) and (2), the current indexes form the diagonal matrix M:
Figure GDA0002673603260000095
By equations (3) and (4), the volume of the 6-dimensional hyper-parallelepiped mapped from the current network logical topology, i.e. the state value of the network node, is $S = |M| = 6$.
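The volume identity behind the second step, checked numerically as an added example (this is illustration code written for this page, not code from the patent): for any set of linearly independent vectors the Gram determinant equals the square of the coordinate determinant, so the hyper-parallelepiped volume is |D|, and for the diagonal index matrix of step 1 this is simply the product of the index values. The sixth index value of Example 1 is not listed on the page; it is assumed to be 1 here, which is the value that reproduces S = 6.

```python
"""Added worked example (not the patent's code): the node state value as the
volume of the hyper-parallelepiped spanned by its index vectors.

Assumptions: the six index vectors are the axis-aligned vectors of equations
(1)-(2), so the index matrix M is diagonal, and the sixth value of Example 1
(average traffic arrival time, not listed on the page) is taken to be 1."""
from fractions import Fraction
from math import sqrt


def determinant(matrix):
    """Exact determinant of any square matrix by Gaussian elimination over Fractions."""
    n = len(matrix)
    a = [[Fraction(x) for x in row] for row in matrix]
    det = Fraction(1)
    for col in range(n):
        pivot = next((r for r in range(col, n) if a[r][col] != 0), None)
        if pivot is None:           # singular: the vectors are linearly dependent
            return Fraction(0)
        if pivot != col:            # a row swap flips the sign of the determinant
            a[col], a[pivot] = a[pivot], a[col]
            det = -det
        det *= a[col][col]
        for r in range(col + 1, n):
            factor = a[r][col] / a[col][col]
            for c in range(col, n):
                a[r][c] -= factor * a[col][c]
    return det


def gram_determinant(vectors):
    """G(m_1, ..., m_n): determinant of the matrix of pairwise inner products."""
    gram = [[sum(x * y for x, y in zip(u, v)) for v in vectors] for u in vectors]
    return determinant(gram)


def parallelotope_volume(vectors):
    """Volume of the hyper-parallelepiped spanned by the vectors: sqrt(G)."""
    return sqrt(gram_determinant(vectors))


def volume_equals_abs_determinant(vectors):
    """Check the identity V = sqrt(G) = |D| used in the second step."""
    return parallelotope_volume(vectors) == abs(determinant(vectors))


def index_matrix(index_values):
    """Step 1: diagonal index matrix, one index per dimension (equation (2))."""
    n = len(index_values)
    return [[index_values[i] if i == j else 0 for j in range(n)] for i in range(n)]


def state_value(index_values):
    """Step 2: state value S_t = |M| (equation (4))."""
    return determinant(index_matrix(index_values))


# Example 1: the five values listed on the page plus the assumed sixth value 1.
EXAMPLE_1_INDEXES = [1, 2, 3, 1, 1, 1]

if __name__ == "__main__":
    print("S =", state_value(EXAMPLE_1_INDEXES))                          # 6
    print("volume =", parallelotope_volume(index_matrix(EXAMPLE_1_INDEXES)))  # 6.0
    # The identity also holds for index vectors that are not axis-aligned.
    skewed = [[1, 2], [3, 4]]
    print(volume_equals_abs_determinant(skewed))                          # True
```

The check with a non-diagonal pair of vectors shows that the state value does not depend on the indexes being axis-aligned: it is the Gram-determinant volume in every case, and the diagonal matrix of step 1 is just the special case where that volume reduces to a product.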
(2) Calculation method and mathematical model of the attack and defense effects
The method for measuring the magnitude of an attack is shown in Fig. 2.
Based on the attack behavior received by a network node and the defense behavior it adopts, the node's state value changes, and the attack and defense effects and utility of the node can be described by the change in that state value. The attack strength is preset to 1 and the defense baseline to 0, and the attack action of the current attack method at that strength is obtained from the rate of change of the node's state value caused by the attack. When the initial defense value of the node is 0, i.e. no defense measure has been added, the attack action equals the node's state value, and the same idea yields a method for calculating the magnitude of a defense measure's action. Because attack and defense behaviors vary over time, and to keep the calculated effects general, the attack effect is judged at each moment and, after analyzing how it changes with attack strength, is averaged over a selected period at that strength; this removes the peak and lowest values of the attack effect and describes it comprehensively.
The approximate route of the attack and defense calculations is shown in Table 1, with a constant time span. Table 1 lists the change in attack effect caused by changing the attack intensity, and the change in defense effect caused by accumulating defense measures, over a fixed time span. To show more clearly how the attack and defense effects vary with attack strength and accumulated defense strength, the data in the table are abstract values and do not represent specific attack or defense strengths.
Table 1: simulated calculation of attack and defense effect magnitudes
Figure GDA0002673603260000101
Figure GDA0002673603260000111
A state value calculation model is established as follows. A threshold selection method is adopted: by analyzing related indexes such as server performance data records, network analysis and application service, the node state value within the 1 to 5 hour window whose data fluctuate least and best match the legitimate access behavior of normal users is selected as the threshold; that is, a period of normal network operation is selected and its state value $S_0$ is calculated. When an attack takes effect, the magnitude of the change in the network state value describes the attack effect, i.e. the degree to which the network state value has changed, compared with the threshold, after the network is attacked.
1. Attack computation model
Let the attack strength be X and the network state value at time $t_1$ be $S_1$. The attack effect at each moment
Figure GDA0002673603260000112
is calculated as:
Figure GDA0002673603260000113
The average attack force is calculated as:
Figure GDA0002673603260000114
Example 2. The six indexes collected from the network node in normal operation (network throughput rate, TCP segment transmission rate, IP datagram transmission rate, average traffic arrival time, CPU occupancy rate and transaction failure rate) have average values of 1/second, 2/second, 3/second, 1% respectively. When an attack occurs, the average values of the indexes during the attack are 10/second, 20/second, 30/second, 10% and 10% respectively. Calculate the average attack effect at this time.
The values given in the example are averages, so the average network state value can be calculated directly. From formula 1, formula 2 and formula 5, the average network state value SN in normal operation is
Figure GDA0002673603260000115
and the average network state value SA during the attack is
Figure GDA0002673603260000121
According to formula 7, the average attack magnitude during the attack,
Figure GDA00026736032600001210
has the value
Figure GDA0002673603260000122
2. Defense effect computation model
When the attack strength is X and the network state value with no defense measure added to the system is S1, the attack effect at time t1 is, according to equation 6,
Figure GDA0002673603260000123
If defense measure D is now added to the system and the network state value becomes S1', the attack effect changes to
Figure GDA0002673603260000124
The change in the attack effect is denoted
Figure GDA0002673603260000125
Derived from equation 6, the defense effect at time t1 is calculated as:
Figure GDA0002673603260000126
The average defense force is calculated as:
Figure GDA0002673603260000127
Example 3. Based on the data in Example 2, after a certain defense technique is configured on the target network node, the average values of the indexes during the attack are 5/s, 10/s, 15/s and 5%. Calculate the magnitude of this defense effect (results rounded to two decimal places).
From formula 1, formula 2 and formula 5, the average network state value SD after the defense is configured is
Figure GDA0002673603260000128
From formula 8 and the results of Example 2, the average defense effect during the attack and defense confrontation,
Figure GDA00026736032600001211
is
Figure GDA0002673603260000129
(3) Attack and defense utility calculation method and mathematical modeling
The utility value accounts for the total effect an attack has on a network node over the attack duration and the total effect a defense has over the attack-defense duration. In an application layer DDoS attack the attacker's traffic is normally not constant, and its influence in the network is limited by various factors. The attack effect therefore gives the size of the attack at a certain point in time but does not reflect the impact of the attack over the whole attack. Building on the threshold, the attack effect at each moment can be obtained once the attack starts, and the attack utility shows the influence of this attack type over the whole attack: the utility is the sum of the effects, i.e. the cumulative amount of the attack effect over time. Let the attack effect be F; when the threshold is set and selected, the attack effect is 0 and the attack utility is also 0. If an attack occurs, the attack effect at time t1 is F1, at time t2 is F2, and at time tn is Fn. Based on the threshold, the attack utility E is calculated as
Figure GDA0002673603260000131
The attack and defense utility values represent the cumulative amounts of the attack and defense effects, because in practice the effects of the attacker and of the defense means cannot be constant during the confrontation. Therefore, two utility values covering the whole process must be obtained in the evaluation; they indicate the total amount of attack and defense effect over the attack-defense process.
From the results of formula 7 and formula 9, with attack strength X, defense strength Y and attack duration t, denote the average attack force as
Figure GDA0002673603260000132
and the average defense force as
Figure GDA0002673603260000133
Then the attack utility EA and the defense utility ED are calculated respectively as:
Figure GDA0002673603260000134
Figure GDA0002673603260000135
From the calculated attack and defense utility values, it can be determined how much of the current attack type's effect the defense measure can resist, which motivates the concept of defense efficiency. According to formula 10, when the defense is 0, the attack utility value within a certain time t is EA. After the system adds the defense measure, the attack utility is EA'. The defense efficiency DE is calculated as:
Figure GDA0002673603260000141
Example 4. Based on the assumed data in Example 3, and assuming that the attack and defense confrontation lasts 60 seconds, calculate the attack and defense utilities EA and ED during that process and the defense efficiency DE.
According to formulas 11 and 12, the attack and defense utilities during the confrontation are:
Figure GDA0002673603260000142
Figure GDA0002673603260000143
The defense efficiency DE is:
Figure GDA0002673603260000144
In summary, after a series of specific index items are obtained through data acquisition methods such as performance monitoring, traffic statistics and packet capture, the state of each network node is described quantitatively by combining the index items, so that the state of each node when an attack occurs can be calculated. From the change in node state, the current attack and defense effects can be analyzed and calculated to obtain the attack and defense utility values; the specific flow is shown in Fig. 3.
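As an added worked example (not code from the patent), the following Python runs the pipeline of claims 1-4 end to end on constructed per-second samples: the state value as the determinant of the diagonal index matrix, per-moment attack and defense effects against the threshold S0, the utilities EA, EA' and ED as accumulations over time, and the defense efficiency DE. Because the page's formula images are not visible, the exact forms of the per-moment attack effect (relative change against S0) and of DE (relative reduction of attack utility) are assumptions, and all sample values are constructed.

```python
from math import prod
from statistics import mean

# Constructed sample data (not from the patent): one index vector per second for the six
# indexes of claim 2, in the order throughput/s, TCP segments, IP datagrams, access failure
# rate (%), average response time (ms), CPU occupancy (%). Three seconds per state.
NORMAL = [(1, 2, 3, 1, 1, 1)] * 3                                        # stable normal window
ATTACKED = [(2, 4, 6, 2, 1, 1), (2, 4, 6, 2, 2, 1), (2, 4, 6, 2, 1, 1)]  # attack, 0 defense
DEFENDED = [(1, 2, 3, 2, 1, 1), (2, 2, 3, 2, 1, 1), (1, 2, 3, 2, 1, 1)]  # same attack, defense on

def state_value(indices):
    """State value of the server: determinant of the diagonal index matrix diag(indices),
    which is simply the product of the indexes (claim 1, step 2)."""
    return prod(indices)

def attack_effect(s_t, s0):
    """Per-moment attack effect: change of the state value against the normal-operation
    threshold S0, taken relative to S0 (assumed form of the page's formula 6)."""
    return (s_t - s0) / s0

def defense_effect(s_attack, s_defended, s0):
    """Per-moment defense effect: difference of the state values before and after the
    defense is added, in the same attack state, divided by S0 (claim 1, step 3)."""
    return (s_attack - s_defended) / s0

def utility(effects):
    """Utility: accumulation of the per-moment effect over the confrontation (claim 1)."""
    return sum(effects)

def defense_efficiency(ea, ea_defended):
    """Share of the undefended attack utility EA removed once the defense is in place
    (assumed form of the page's defense efficiency DE)."""
    return (ea - ea_defended) / ea

def evaluate(normal, attacked, defended):
    """Whole pipeline: threshold S0 from the stable normal window, per-moment attack and
    defense effects, their averages, the utilities EA, EA' and ED, and DE."""
    s0 = mean(state_value(v) for v in normal)
    f_attack = [attack_effect(state_value(v), s0) for v in attacked]
    f_attack_defended = [attack_effect(state_value(v), s0) for v in defended]
    f_defense = [defense_effect(state_value(a), state_value(d), s0)
                 for a, d in zip(attacked, defended)]
    ea, ea_d, ed = utility(f_attack), utility(f_attack_defended), utility(f_defense)
    return {
        "S0": s0,
        "avg_attack": mean(f_attack),     # average attack force (formula 7)
        "avg_defense": mean(f_defense),   # average defense force (formula 9)
        "E_A": ea, "E_A_defended": ea_d, "E_D": ed,
        "D_E": defense_efficiency(ea, ea_d),
    }

if __name__ == "__main__":
    for name, value in evaluate(NORMAL, ATTACKED, DEFENDED).items():
        print(f"{name:>13}: {value:.2f}")
```

With these definitions ED equals EA minus EA', so DE is the fraction of the undefended attack utility the defense removes.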
In summary, the above description is only a preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (4)

1. An application layer DDoS attack and defense effectiveness measurement method is characterized by comprising the following steps:
step 1, constructing an index matrix, which is a diagonal matrix whose diagonal entries are the indexes of the server; the indexes comprise application layer indexes, network traffic indexes and hardware performance indexes;
step 2, acquiring the index values of the server under different attack and defense effects, and obtaining the state value of the server from the index matrix constructed in step 1; the state value of the server is the determinant of the index matrix;
step 3, the change in the server's state value under the attack compared with its state value under 0 attack and 0 defense is the attack effect value of the server; the accumulation of the attack effect value over time is the attack utility value of the server; the ratio of the difference between the server's state values before and after the defense measure is added, in the same attack state, to the server's state value under 0 attack and 0 defense is the defense effect value of the server; and the accumulation of the defense effect value over time is the defense utility value of the server.
2. The application layer DDoS attack and defense utility measurement method according to claim 1, wherein in step 1 the following six indexes are selected: network throughput per second, number of TCP segments, number of IP datagrams, access failure rate, average response time and CPU occupancy.
3. The application layer DDoS attack and defense utility measurement method according to claim 1, wherein in step 3 the attack effect value of the server is taken as the average of the server's attack effect values over the attack effect time period, and the defense effect value of the server is taken as the average of the server's defense effect values over the defense time period.
4. The application layer DDoS attack and defense utility measurement method according to claim 1, wherein the attack effect value of the server against the application layer DDoS is the ratio of the server's state value under attack to its state value in normal operation; and the defense effect value of the server against the application layer DDoS is the ratio of the difference between the server's state values before and after the defense measure is added, in the same attack state, to the server's state value in normal operation.
CN201910571268.3A 2019-06-28 2019-06-28 Application layer DDoS attack and defense effectiveness measurement method Active CN110224876B (en)

Publications (2)

Publication Number Publication Date
CN110224876A CN110224876A (en) 2019-09-10
CN110224876B true CN110224876B (en) 2020-11-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant